CN112019568A - Message forwarding method, device and communication method and system - Google Patents

Publication number
CN112019568A
Authority
CN
China
Prior art keywords
kcp
message
information
new
connection
Legal status
Granted
Application number
CN202011114306.1A
Other languages
Chinese (zh)
Other versions
CN112019568B (en
Inventor
李建安
Current Assignee
Beijing Taiyi Xingchen Information Technology Co ltd
Original Assignee
Beijing Taiyi Xingchen Information Technology Co ltd
Application filed by Beijing Taiyi Xingchen Information Technology Co ltd
Priority to CN202011114306.1A
Publication of CN112019568A
Application granted
Publication of CN112019568B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 2212/00 Encapsulation of packets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The document discloses a message forwarding method, a message forwarding device, a message communication method and a message communication system. The message forwarding method comprises: receiving an IP message to be sent to a target device from a source device; determining the corresponding KCP instance information according to the mapping relation between the IP message and KCP; encapsulating the IP message according to the KCP instance information to obtain a KCP message; and sending the KCP message through a secure data tunnel. The counterpart message forwarding method comprises: decapsulating the message received through the secure data tunnel according to the KCP protocol to obtain KCP data, the KCP data being an IP message; and determining the target device according to the KCP data and sending the IP message to the target device.

Description

Message forwarding method, device and communication method and system
Technical Field
The present disclosure relates to, but is not limited to, the field of network communications, and in particular to a message forwarding method and apparatus based on the KCP protocol, and to a communication method and system.
Background
Current network transmission uses the TCP/IP protocol suite. TCP has a retransmission and acknowledgement mechanism, so data integrity can be ensured, but this complex mechanism cannot improve the network environment; in particular, when the network suffers packet loss and delay, the complex mechanism further degrades communication quality. UDP has no acknowledgement mechanism, so if packet loss occurs in the network it cannot guarantee the correctness of the data.
KCP is a Fast and Reliable Protocol (a Fast and Reliable ARQ Protocol), and can achieve up to a three-fold acceleration effect at the cost of some additional bandwidth. Its characteristics are:
1) Fast retransmission and acknowledgement. The retransmission timeout is shortened and acknowledgements are sent more frequently, which improves transmission speed. By comparison, TCP's fast retransmission algorithm only retransmits a packet after it has been skipped 3 times.
2) Selective retransmission. When packet loss occurs, TCP may retransmit all unacknowledged messages, whereas KCP performs selective retransmission and only retransmits the messages that were actually lost.
3) The KCP protocol is not responsible for sending and receiving on the underlying protocol; the user must define how the underlying data packets are transmitted. In typical use, similarly to socket handling, the whole application data stream is fed into KCP, with UDP as its transport protocol.
Currently, the position of the KCP protocol in the whole network stack is shown in fig. 1. It can be seen that in the related art, to gain the above advantages of the KCP protocol, the application or infrastructure must be modified to communicate over UDP. There are a large number of existing systems in deployed networks, and such a modification is clearly complicated and very labor intensive. In order to fully exploit the advantages of the KCP protocol mechanism while remaining compatible with the large number of existing applications and systems, new solutions need to be proposed.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
The embodiment of the disclosure provides a message forwarding method, a message forwarding device, a message communication method and a message communication system. The method can greatly reduce the rework required to existing applications or systems, make full use of the communication advantages of the KCP protocol mechanism and secure tunnel technology, and improve the speed and reliability of data transmission between applications.
The embodiment of the present disclosure provides a message forwarding method, including:
receiving an IP message to be sent to a target device from a source device;
determining the corresponding KCP instance information according to the mapping relation between the IP message and KCP;
encapsulating the IP message according to the KCP instance information to obtain a KCP message;
and sending the KCP message through a secure data tunnel.
In some exemplary embodiments, the secure data tunnel comprises an IPsec VPN tunnel;
the sending the KCP message through a secure data tunnel comprises:
adding a new IP header to the KCP message according to the IPsec protocol to obtain an IPsec message, and sending the IPsec message through the IPsec VPN tunnel.
In some exemplary embodiments, the determining, according to the mapping relation between the IP message and KCP, the corresponding KCP instance information includes:
searching the KCP mapping relation according to the quintuple of the IP message, and determining the KCP instance information corresponding to the IP message; wherein the KCP instance information includes a KCP identifier;
and the encapsulating the IP message according to the KCP instance information to obtain a KCP message includes:
adding a KCP header to the IP message according to the KCP identifier to obtain the KCP message.
In some exemplary embodiments, the KCP mapping relationship includes: an IP connection information table and a KCP instance information table;
the searching the KCP mapping relation according to the quintuple of the IP message and determining the KCP instance information corresponding to the IP message comprises the following steps:
and searching the IP connection information table according to the quintuple of the IP message to determine the IP connection information corresponding to the IP message, and searching the KCP instance information table according to the IP connection information to determine the corresponding KCP instance information.
In some exemplary embodiments, the searching the IP connection information table according to the quintuple of the IP message to determine the IP connection information corresponding to the IP message, and the searching the KCP instance information table according to the IP connection information to determine the corresponding KCP instance information, include:
searching the IP connection information table according to the quintuple of the IP message; when the corresponding IP connection information is found, searching the KCP instance information table according to the IP connection identifier in the IP connection information and determining the corresponding KCP instance information;
and when the corresponding IP connection information is not found, generating a new IP connection identifier and a new KCP identifier, adding the quintuple of the IP message and the new IP connection identifier as new IP connection information into the IP connection information table, and adding the new IP connection identifier and the new KCP identifier as new KCP instance information into the KCP instance information table.
The embodiment of the present disclosure further provides a message forwarding method, including:
decapsulating a message received through the secure data tunnel according to a KCP protocol to obtain KCP data; the KCP data is an IP message;
and determining target equipment according to the KCP data, and sending the IP message to the target equipment.
In some exemplary embodiments, the secure data tunnel comprises an IPsec VPN tunnel;
the decapsulating, according to a KCP protocol, a packet received through the secure data tunnel to obtain KCP data includes:
decapsulating the received IPsec message according to the IPsec protocol to obtain a KCP message;
and decapsulating the KCP message according to a KCP protocol to obtain the KCP data.
In some exemplary embodiments, the method further comprises:
decapsulating a message received through the secure data tunnel according to a KCP protocol to obtain a KCP message header;
determining the corresponding KCP instance information according to the mapping relation between the KCP message header and KCP; wherein the KCP instance information includes a KCP identifier and an IP connection identifier, and the KCP mapping relation comprises an IP connection information table and a KCP instance information table;
wherein the determining the corresponding KCP instance information according to the KCP message header and the KCP mapping relation comprises:
searching the KCP instance information table according to the KCP identifier in the KCP message header to determine the corresponding KCP instance information, and when the corresponding KCP instance information is found, taking the found KCP instance information as the corresponding KCP instance information;
when the corresponding KCP instance information is not found, generating new KCP instance information and adding it into the KCP instance information table; the KCP identifier of the new KCP instance information is the KCP identifier in the KCP message header.
In some exemplary embodiments, the method further includes searching the IP connection information table according to the quintuple of the IP message, generating a new IP connection identifier when the corresponding IP connection information is not found, and adding the quintuple of the IP message, the new IP connection identifier and the KCP identifier in the KCP message header as new IP connection information into the IP connection information table;
when the corresponding IP connection information is not found, searching the KCP instance information table according to the KCP identifier in the KCP message header to determine the corresponding KCP instance information; when the corresponding KCP instance information is found, updating the IP connection identifier of the found KCP instance information with the new IP connection identifier; and when the corresponding KCP instance information is not found, adding the new IP connection identifier and the KCP identifier in the KCP message header as new KCP instance information into the KCP instance information table.
The embodiment of the present disclosure further provides a communication method, including:
the source equipment sends a message;
sending the message sent by the source equipment according to the message forwarding method;
receiving a message;
and sending the received message to the target equipment according to the message forwarding method.
The embodiment of the present disclosure further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program for sending or receiving a data packet, and the processor is configured to read and run the computer program for sending a data packet to execute any of the above message forwarding methods.
The embodiment of the present disclosure further provides a communication system, which includes a source device and a target device; the system also comprises a first forwarding device and a second forwarding device;
the first forwarding device is any one of the electronic devices; the second forwarding device is any one of the electronic devices;
the first forwarding device is configured to receive the message from the source device, process it, and send it to the second forwarding device through a public network;
the second forwarding device is configured to receive the message from the first forwarding device, process the message, and send the processed message to the target device.
Other aspects will be apparent upon reading and understanding the attached drawings and detailed description.
Drawings
FIG. 1 is a diagram illustrating a network protocol hierarchy in the related art;
FIG. 2 is a schematic diagram of a network structure to which a communication method is applied in an embodiment of the present disclosure;
FIG. 3 is a flow chart of a communication method in an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a message structure of a forwarding device in an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a message structure of another forwarding device in an embodiment of the present disclosure;
FIG. 6 is a flow chart of message processing of a forwarding device in an embodiment of the present disclosure;
FIG. 7 is a flow chart of message processing of another forwarding device in an embodiment of the present disclosure;
FIG. 8 is an example of a KCP mapping table in an embodiment of the present disclosure;
FIG. 9 is a flowchart of a message forwarding method in another embodiment of the present disclosure;
FIG. 10 is a flowchart of a message forwarding method in another embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The following step numbers do not limit a specific execution order, and the execution order of some steps can be adjusted according to specific embodiments.
The method provided by the disclosed embodiment is applicable to bilateral networks; as shown in fig. 2, two private networks can communicate with each other over a public network in a bilateral network. Two symmetrically deployed bilateral devices (forwarding devices) are generally adopted, and a secure data tunnel technology is used to complete communication at the IP layer, for example IPsec VPN is used as the tunnel. A dedicated IPsec tunnel is established between the two networks, the original IP data is encrypted into IPsec messages, and the source IP and the destination IP of the new IPsec messages are the public network IPs of the two devices respectively. Communicating through IPsec VPN therefore ensures connection security, and also solves NAT traversal between public networks and the access problems posed by intermediate devices such as firewalls.
In some exemplary embodiments, other secure tunneling schemes may also be employed, such as GRE tunnels and the like.
KCP is a fast and reliable protocol intended to solve the problem of slow transmission under network congestion. It raises the network transmission rate at the cost of a corresponding part of the bandwidth, improving the network acceleration effect. However, the KCP protocol does not itself specify the lower layer transport protocol; UDP is generally used as the lower layer transport, and this handling is similar to a socket.
Example one
The embodiment of the present disclosure provides a data communication method, and a system network structure applied by the method is shown in fig. 2. The system comprises bilateral equipment 1 and 2, also called first forwarding equipment and second forwarding equipment, or a gateway 1 and a gateway 2, and uses a public network IP address to communicate with an extranet through a public network.
According to the KCP protocol mechanism, each network connection between the source device and the target device is associated with a KCP instance, each KCP instance having a unique KCP identity. When the devices communicate with each other, the KCP identifiers of the same network connection must be guaranteed to be the same and unique.
An embodiment of the present disclosure provides a data communication method, a communication process of which is shown in fig. 3, including:
the gateway 1 receives an IP message, performs KCP encapsulation and IPsec encryption on it, and finally sends it out as an IPsec message.
The gateway 2 receives the IPsec message, decapsulates it according to the IPsec protocol (including IPsec decryption) and performs KCP decapsulation to obtain an IP message whose content is identical to the one received by the gateway 1. The IP message is then sent out.
The gateway 1 and the gateway 2 hold the same unique KCP identifier for the same connection, so normal KCP encapsulation and decapsulation can be performed.
The processing flow of the gateway 1 (first forwarding device) is shown in fig. 4, and includes:
when the gateway 1 (first forwarding device) receives the IP packet, it parses a complete IP packet from it, including the original IP header and IP data. The IP packet is sent into the KCP sending queue, and at this point a KCP header is added to the IP packet to generate a KCP message. When a KCP message is sent through the IPsec VPN tunnel, a new IPsec message is generated through IPsec encryption and sent to the peer device. In the new IPsec header, the source address is the address of the gateway 1 (public network IP address) and the destination address is the address of the gateway 2 (public network IP address). Those skilled in the art will appreciate that the addresses of the gateways 1 and 2 are associated with the IPsec security tunnel, the relevant configuration is completed when the tunnel is established, and other implementation details of the IPsec tunnel are not within the scope of the present disclosure.
According to the KCP protocol, the size of the KCP header is 24 bytes, and it records information about the current KCP data such as the identifier, sequence number and timestamp. The most critical field is the 4-byte identifier that uniquely identifies a connection. When two devices communicate over the same connection, the identifier in the transmitted KCP messages must be the same, so that the basic KCP protocol processing such as acknowledgement and retransmission can be performed effectively according to the KCP protocol mechanism.
The processing flow of the gateway 2 (second forwarding device) is shown in fig. 5, and includes:
the gateway 2 (second forwarding device) receives the IPsec message, and decrypts/decapsulates the IPsec message according to the IPsec protocol mechanism to obtain a KCP message. After the KCP packet is decapsulated and the KCP header is removed, an IP packet is obtained, where the IP packet is consistent with the IP packet received by the gateway 1 in fig. 4 and includes the original IP header and the IP data. And sending the IP message to the target equipment according to the address of the target equipment in the obtained IP message.
According to the KCP protocol mechanism, the key to the gateways 1 and 2 to normally utilize the KCP protocol mechanism is to ensure that the KCP identifier of the same connection is unique. In some exemplary embodiments, two tables are maintained, the entries of which are associated with each other, as shown in FIG. 8.
The entry of the connection table conn_list (IP connection information table) is conn_node, which stores the basic information of the connection, including the quintuple of the IP message and a pointer to the kcp_node. The lookup key of this table is the quintuple of the IP message.
The entry of the KCP instance table kcp_list (KCP instance information table) is kcp_node, which stores KCP protocol related information, including the unique KCP identifier id, the KCP instance and a pointer to the conn_node. The lookup key of this table is the unique KCP identifier id.
The two entries conn_node and kcp_node are in one-to-one correspondence.
In some exemplary embodiments, a method for forwarding a packet by the gateway 1 (first forwarding device), as shown in fig. 6, includes:
Step 601, after receiving the IP message, extracting its IP quintuple;
Step 602, searching the conn_list table according to the quintuple of the IP message; if the conn_node entry is found, executing step 610 and acquiring the KCP instance through the association; if it is not found, executing step 620 to create and associate the conn_node and kcp_node entries. It should be noted here that the kcp_id must be guaranteed to be unique.
Step 630, after obtaining the KCP instance, encapsulating the IP packet (including the IP header and IP data) into a KCP packet and sending it to the KCP sending queue.
Step 640, the KCP transmission timer is responsible for fetching data from the KCP queue. The timer accuracy requirement can be consistent with the device's message sending and receiving.
Step 641, the KCP packet taken out is encrypted by IPsec according to the IPsec protocol and encapsulated into a new IPsec packet to be sent. The destination IP address of the new IPsec packet is the IP address of the peer device (gateway 2).
In some exemplary embodiments, the method for forwarding a packet by the gateway 2 (second forwarding device), as shown in fig. 7, includes:
Step 701, after receiving the IPsec message, decrypting/decapsulating it to obtain a KCP message, and parsing the unique KCP identifier id from the KCP message header;
Step 702, searching the kcp_list table according to the KCP identifier; if it is found, go to step 710; if not, go to step 720;
Step 710, determining the corresponding KCP instance according to the kcp_node entry matching the KCP identifier;
Step 720, creating a kcp_node entry (in the kcp_list table) with the KCP identifier as its key.
Step 711, decapsulating the KCP packet using the KCP instance to obtain the KCP data, i.e. the IP packet. This IP packet is the same as the IP packet of step 601 in fig. 6.
Step 712, searching the conn_list table according to the quintuple of the IP packet; if the corresponding conn_node entry is found, executing step 730; if not, go to step 740;
Step 730, forwarding the IP packet to its destination address;
Step 740, creating a new conn_node entry (in the conn_list table) and associating it with the corresponding kcp_node entry in the kcp_list table.
In step 630 or 711, a KCP instance is used, that is, according to the KCP protocol specification, the KCP instance performs KCP packet encapsulation or decapsulation, records information of a transmission sequence number, an acknowledgement number, timeout retransmission, and the like, and performs a related reception acknowledgement or retransmission function. The embodiment of the present disclosure only embodies the aspect of data packet encapsulation and decapsulation, and other aspects are implemented according to the related technical solutions, and the specific implementation manner is not limited, and other protocol functions of the KCP instance do not belong to the scope defined or protected by the present disclosure.
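The two associated tables of fig. 8 and the fig. 6 / fig. 7 forwarding paths, as an added example that is not part of the patent or of any KCP implementation: the 24-byte header layout is the standard ikcp.c segment header (its 4-byte `conv` field is the KCP identifier the text calls kcp_id); the 5-tuple parser, the `Gateway` class, the id generator and the constructed IPv4/UDP sample packet are assumptions of this example, and the real KCP instance state (ack/retransmit) is stood in for by a sequence counter.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Standard KCP segment header (ikcp.c), little-endian, 24 bytes in total:
# conv(4) cmd(1) frg(1) wnd(2) ts(4) sn(4) una(4) len(4).
# "conv" is the 4-byte identifier the page calls the KCP id (kcp_id).
KCP_HDR = struct.Struct("<IBBHIIII")
KCP_CMD_PUSH = 81                               # data segment
FiveTuple = Tuple[str, str, int, int, int]      # src, dst, sport, dport, proto


def ipv4_five_tuple(pkt: bytes) -> FiveTuple:
    """Extract the quintuple of an IPv4 packet (step 601)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:        # TCP / UDP carry ports
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (src, dst, sport, dport, proto)


@dataclass
class KcpNode:                 # kcp_list entry, keyed by kcp_id
    kcp_id: int
    conn: Optional["ConnNode"] = None
    next_sn: int = 0           # stand-in for the real KCP instance state


@dataclass
class ConnNode:                # conn_list entry, keyed by the IP quintuple
    tuple5: FiveTuple
    kcp: KcpNode


class Gateway:
    """One forwarding device holding the two associated tables of fig. 8."""

    def __init__(self, id_source: Iterator[int]):
        self.conn_list: Dict[FiveTuple, ConnNode] = {}
        self.kcp_list: Dict[int, KcpNode] = {}
        self._ids = id_source          # must never repeat an id (uniqueness rule of step 620)
        self.send_queue: List[bytes] = []

    # --- gateway 1 side, fig. 6 ---
    def encapsulate(self, ip_pkt: bytes) -> bytes:
        t5 = ipv4_five_tuple(ip_pkt)                        # 601
        conn = self.conn_list.get(t5)                       # 602
        if conn is None:                                    # 620: create and associate both entries
            node = KcpNode(kcp_id=next(self._ids))
            conn = ConnNode(t5, node)
            node.conn = conn
            self.conn_list[t5] = conn
            self.kcp_list[node.kcp_id] = node
        node = conn.kcp                                     # 610
        hdr = KCP_HDR.pack(node.kcp_id, KCP_CMD_PUSH, 0, 0, 0,
                           node.next_sn, 0, len(ip_pkt))
        node.next_sn += 1
        kcp_pkt = hdr + ip_pkt                              # 630: whole IP packet is the payload
        self.send_queue.append(kcp_pkt)
        return kcp_pkt

    def timer_tick(self) -> List[bytes]:
        """640: drain the KCP queue; 641 (IPsec encapsulation) is the tunnel's job."""
        out, self.send_queue = self.send_queue, []
        return out

    # --- gateway 2 side, fig. 7 ---
    def decapsulate(self, kcp_pkt: bytes) -> bytes:
        if len(kcp_pkt) < KCP_HDR.size:
            raise ValueError("short KCP segment")
        conv, cmd, _, _, _, _, _, length = KCP_HDR.unpack_from(kcp_pkt)   # 701
        if cmd != KCP_CMD_PUSH or length != len(kcp_pkt) - KCP_HDR.size:
            raise ValueError("malformed KCP segment")    # len must cover exactly one IP packet
        node = self.kcp_list.get(conv)                      # 702
        if node is None:                                    # 720: new kcp_node keyed by the id
            node = KcpNode(kcp_id=conv)
            self.kcp_list[conv] = node
        ip_pkt = kcp_pkt[KCP_HDR.size:]                     # 711: original IP packet, byte for byte
        t5 = ipv4_five_tuple(ip_pkt)
        conn = self.conn_list.get(t5)                       # 712
        if conn is None:                                    # 740: create conn_node, link to kcp_node
            conn = ConnNode(t5, node)
            node.conn = conn
            self.conn_list[t5] = conn
        return ip_pkt                                       # 730: forward to the IP destination


def constructed_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample input: a minimal IPv4/UDP packet (checksums left zero)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 17, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
```

Running a constructed packet through `Gateway.encapsulate` on one side and `Gateway.decapsulate` on the other returns the original IP packet unchanged, and the receiving side learns the same kcp_id the sender chose without ever seeing the quintuple before the KCP lookup.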
In the communication method provided by the embodiment of the present disclosure, the first forwarding device near the source device performs KCP encapsulation on the received IP packet data, and the encapsulated data is sent to the KCP sending queue;
driven by a timer, the KCP messages in the KCP queue are periodically IPsec encrypted/encapsulated and sent through the IPsec VPN tunnel to the second forwarding device at the target device end;
the second forwarding device receives the IPsec message, performs IPsec decryption/decapsulation, and restores the encapsulated KCP message; according to the unique KCP identifier it further restores the IP message, namely the original IP message received by the first forwarding device;
and the second forwarding device forwards the IP message to the target device.
It can be seen that the KCP message encapsulates the entire IP message. Therefore, the data decapsulated by the KCP is a complete IP packet, and is completely the same as the original IP packet. Therefore, the process of regenerating the IP header and the TCP header does not exist, the process of calculating the checksum of the header field does not exist, and the performance expense is saved.
The KCP packet is combined with IPsec. The two are complementary: if a KCP message were directly constructed (encapsulated) into a new IP message to be sent, an IP header would have to be constructed and the various problems the new IP packet meets in network transmission, such as firewalls and NAT, would have to be considered. IPsec is a common IP protocol that firewalls and NATs can normally handle, whereas the KCP protocol mechanism provides an acceleration function that IPsec does not offer.
The KCP is associated with the connection. Generally, network devices are managed based on connections: each packet must first be associated with a connection before other services are processed. However, when the KCP packet is obtained by IPsec decryption/decapsulation of the present invention, its IP quintuple is not yet available, so the association with the connection cannot be performed first. The processing method provided by the embodiment of the disclosure for associating KCP with the connection looks up the KCP instance first and, through it, finds the corresponding connection.
The accuracy requirements of the KCP timer must be high. The timer of the invention matches the message sending and receiving precision, which ensures that received messages are sent on in time without affecting user experience. That is, the KCP timer fires at a short interval, the KCP message is taken out of the KCP queue and sent out through the secure tunnel, and the transmission delay caused by the KCP message passing through the KCP queue is reduced as far as possible.
Those skilled in the art can know that, in the prior art scheme, the KCP protocol mechanism implements the relevant protocol functions on top of UDP; the KCP protocol mechanism is put on an IP layer, KCP is packaged on an IP message and the related protocol function is realized through the newly added gateway equipment, so that the advantages of the KCP protocol mechanism can be fully utilized without transforming and upgrading the existing application or system on the IP layer, and the communication efficiency and reliability are improved.
Other secure tunneling protocols may also be employed in place of the IPsec tunnel in some exemplary embodiments. For example, if a GRE tunnel is adopted, step 641 is adjusted accordingly so that the extracted KCP packet is encapsulated according to the GRE protocol into a new GRE packet, which is then sent out, the destination IP address of the new GRE packet being the IP address of the peer device (gateway 2); and step 701 is adjusted to decapsulate the GRE packet to obtain the KCP packet.
By analogy, those skilled in the art can know that the data communication scheme described in the embodiment of the present disclosure is implemented by using other secure tunnel schemes, and the data packet is transmitted over the public network by using the secure tunnel scheme.
Example two
An embodiment of the present disclosure provides a message forwarding method, as shown in fig. 9, including:
step 901, receiving an IP message to be sent to a target device from a source device;
step 902, determining the corresponding KCP instance information according to the mapping relation between the IP message and KCP;
step 903, encapsulating the IP message according to the KCP instance information to obtain a KCP message;
and step 904, transmitting the KCP message through a secure data tunnel.
In some exemplary embodiments, the secure data tunnel comprises an IPsec VPN tunnel;
the sending the KCP message through a secure data tunnel comprises:
adding a new IP header to the KCP message according to the IPsec protocol to obtain an IPsec message, and sending the IPsec message through the IPsec VPN tunnel.
In some exemplary embodiments, the determining, according to the mapping relation between the IP message and KCP, the corresponding KCP instance information includes:
searching the KCP mapping relation according to the quintuple of the IP message, and determining the KCP instance information corresponding to the IP message; wherein the KCP instance information includes a KCP identifier;
and the encapsulating the IP message according to the KCP instance information to obtain a KCP message includes:
adding a KCP header to the IP message according to the KCP identifier to obtain the KCP message.
In some exemplary embodiments, the KCP mapping relationship includes: an IP connection information table and a KCP instance information table;
the searching the KCP mapping relation according to the quintuple of the IP message and determining the KCP instance information corresponding to the IP message comprises the following steps:
and searching the IP connection information table according to the quintuple of the IP message to determine the IP connection information corresponding to the IP message, and searching the KCP instance information table according to the IP connection information to determine the corresponding KCP instance information.
In some exemplary embodiments, the searching the IP connection information table according to the quintuple of the IP packet to determine the IP connection information corresponding to the IP packet, and the searching the KCP instance information table according to the IP connection information to determine the corresponding KCP instance information include:
searching the IP connection information table according to the quintuple of the IP message, searching the KCP example information table according to the IP connection identifier in the IP connection information when the corresponding IP connection information is searched, and determining the corresponding KCP example information;
and when the corresponding IP connection information is not searched, generating a new IP connection identifier and a new KCP identifier, adding the quintuple of the IP message and the new IP connection identifier serving as new IP connection information into the IP connection information table, and adding the new IP connection identifier and the new KCP identifier serving as new KCP example information into the KCP example information table.
In some exemplary embodiments, the secure tunnel comprises: a GRE tunnel;
the sending the KCP message through a safety data tunnel comprises:
and adding a new IP header to the KCP message according to a GRE protocol to obtain a GRE message, and sending the GRE message through the GRE tunnel.
In some exemplary embodiments, those skilled in the art may also use other secure tunneling schemes to implement the secure transmission of the KCP packet in the public network.
Example three
An embodiment of the present disclosure provides a message forwarding method, as shown in fig. 10, including:
step 101, decapsulating a packet received through a secure data tunnel according to the KCP protocol to obtain KCP data, the KCP data being an IP packet;
step 102, determining a target device according to the KCP data, and sending the IP packet to the target device.
In some exemplary embodiments, the secure data tunnel comprises an IPsec VPN tunnel;
the decapsulating, according to the KCP protocol, a packet received through the secure data tunnel to obtain KCP data comprises:
decapsulating the received IPsec packet according to the IPsec protocol to obtain a KCP packet;
and decapsulating the KCP packet according to the KCP protocol to obtain the KCP data.
In some exemplary embodiments, the method further comprises:
decapsulating a packet received through the secure data tunnel according to the KCP protocol to obtain a KCP packet header;
determining corresponding KCP instance information according to the KCP packet header and the KCP mapping relation; wherein the KCP instance information includes a KCP identifier and an IP connection identifier, and the KCP mapping relation comprises an IP connection information table and a KCP instance information table;
wherein the determining the corresponding KCP instance information according to the KCP packet header and the KCP mapping relation comprises:
searching the KCP instance information table according to the KCP identifier in the KCP packet header, and when the corresponding KCP instance information is found, taking the found KCP instance information as the corresponding KCP instance information;
when the corresponding KCP instance information is not found, generating new KCP instance information and adding it into the KCP instance information table, the KCP identifier of the new KCP instance information being the KCP identifier in the KCP packet header.
In some exemplary embodiments, the method further comprises searching the IP connection information table according to the quintuple of the IP packet; when the corresponding IP connection information is not found, generating a new IP connection identifier, and adding the quintuple of the IP packet, the new IP connection identifier and the KCP identifier in the KCP packet header as new IP connection information into the IP connection information table;
and, when the corresponding IP connection information is not found, searching the KCP instance information table according to the KCP identifier in the KCP packet header to determine the corresponding KCP instance information; when the corresponding KCP instance information is found, updating the IP connection identifier of the found KCP instance information to the new IP connection identifier; and when the corresponding KCP instance information is not found, adding the new IP connection identifier and the KCP identifier in the KCP packet header as new KCP instance information into the KCP instance information table.
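As an added example that is not part of the patent or its assignee's code, the following Python model implements the sender-side table lookup of embodiment two and the receiver-side table lookup of embodiment three together with the KCP header that is added to the IP packet and stripped again. The table layouts, identifier generation, the constructed sample packet and the use of the public KCP implementation's header layout (conv, cmd, frg, wnd, ts, sn, una, len) are assumptions.

```python
"""Added example, not code from the patent: a minimal model of the "KCP mapping
relation" (IP connection information table plus KCP instance information table),
the sender-side lookup-or-create of embodiment two, the receiver-side
lookup-or-create of embodiment three, and the KCP header added to the IP packet."""
import itertools
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Quintuple = Tuple[str, str, int, int, int]  # src_ip, dst_ip, proto, sport, dport
KCP_HDR = struct.Struct("<IBBHIIII")         # conv, cmd, frg, wnd, ts, sn, una, len (assumed public KCP layout)
KCP_CMD_PUSH = 81                             # KCP data-segment command

def quintuple_of(ip_pkt: bytes) -> Quintuple:
    """Extract the quintuple from an IPv4 packet carrying TCP or UDP."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(ip_pkt[12:16]), socket.inet_ntoa(ip_pkt[16:20])
    sport, dport = struct.unpack_from("!HH", ip_pkt, ihl)
    return (src, dst, ip_pkt[9], sport, dport)

@dataclass
class IpConnection:
    quintuple: Quintuple
    conn_id: int
    kcp_id: Optional[int] = None  # recorded on the receiving gateway (embodiment three)

@dataclass
class KcpInstance:
    kcp_id: int
    conn_id: Optional[int]

class KcpMapping:
    def __init__(self) -> None:
        self.ip_conn_table: Dict[Quintuple, IpConnection] = {}
        self.kcp_inst_table: Dict[int, KcpInstance] = {}
        self._conn_to_kcp: Dict[int, int] = {}  # index: IP connection id -> KCP id
        self._conn_ids = itertools.count(1)      # constructed identifier spaces
        self._kcp_ids = itertools.count(1000)

    def _add_instance(self, kcp_id: int, conn_id: Optional[int]) -> KcpInstance:
        inst = KcpInstance(kcp_id, conn_id)
        self.kcp_inst_table[kcp_id] = inst
        if conn_id is not None:
            self._conn_to_kcp[conn_id] = kcp_id
        return inst

    def lookup_for_send(self, q: Quintuple) -> KcpInstance:
        """Embodiment two: quintuple -> IP connection -> KCP instance, creating both on a miss."""
        conn = self.ip_conn_table.get(q)
        if conn is not None:
            return self.kcp_inst_table[self._conn_to_kcp[conn.conn_id]]
        conn_id, kcp_id = next(self._conn_ids), next(self._kcp_ids)
        self.ip_conn_table[q] = IpConnection(q, conn_id)
        return self._add_instance(kcp_id, conn_id)

    def lookup_for_receive(self, kcp_id: int, q: Quintuple) -> KcpInstance:
        """Embodiment three: KCP id from the header -> instance; quintuple -> connection."""
        inst = self.kcp_inst_table.get(kcp_id)
        if inst is None:  # unknown instance: create it with the KCP id from the header
            inst = self._add_instance(kcp_id, None)
        if q not in self.ip_conn_table:  # first packet of this flow seen by the receiver
            conn_id = next(self._conn_ids)
            self.ip_conn_table[q] = IpConnection(q, conn_id, kcp_id)
            inst.conn_id = conn_id  # bind the instance to the new IP connection
            self._conn_to_kcp[conn_id] = kcp_id
        return inst

def kcp_encapsulate(ip_pkt: bytes, inst: KcpInstance, sn: int = 0, ts: int = 0) -> bytes:
    """Sender: prepend a KCP header whose conv field carries the KCP identifier."""
    return KCP_HDR.pack(inst.kcp_id, KCP_CMD_PUSH, 0, 0, ts, sn, 0, len(ip_pkt)) + ip_pkt

def kcp_decapsulate(kcp_pkt: bytes) -> Tuple[int, bytes]:
    """Receiver: return (KCP identifier, inner IP packet); reject truncated segments."""
    conv, _cmd, _frg, _wnd, _ts, _sn, _una, length = KCP_HDR.unpack_from(kcp_pkt)
    payload = kcp_pkt[KCP_HDR.size:KCP_HDR.size + length]
    if len(payload) != length:
        raise ValueError("truncated KCP segment")
    return conv, payload

def sample_ip_packet() -> bytes:
    """Constructed IPv4/UDP packet 10.0.0.2:4000 -> 10.1.0.2:53 (checksums left zero)."""
    udp = struct.pack("!HHHH", 4000, 53, 12, 0) + b"ping"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.2"), socket.inet_aton("10.1.0.2"))
    return ip + udp

def forward_once(sender: KcpMapping, receiver: KcpMapping, ip_pkt: bytes) -> Tuple[int, int, bytes]:
    """Gateway 1 encapsulates, gateway 2 decapsulates (IPsec/GRE wrapping omitted)."""
    inst = sender.lookup_for_send(quintuple_of(ip_pkt))
    conv, inner = kcp_decapsulate(kcp_encapsulate(ip_pkt, inst))
    rinst = receiver.lookup_for_receive(conv, quintuple_of(inner))
    return inst.kcp_id, rinst.conn_id, inner
```

A second packet of the same flow reuses the entries on both gateways, and a segment whose length field exceeds the bytes actually received is rejected before any table is touched.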
In some exemplary embodiments, the secure tunnel comprises a GRE tunnel;
the decapsulating, according to the KCP protocol, a packet received through the secure data tunnel to obtain KCP data comprises:
decapsulating the received GRE packet according to the GRE protocol to obtain a KCP packet;
and decapsulating the KCP packet according to the KCP protocol to obtain the KCP data.
In some exemplary embodiments, those skilled in the art may also use other secure tunneling schemes to implement secure transmission of the KCP packet over the public network.
Example four
An embodiment of the present disclosure provides a communication method, including:
step 111, the source device sends a packet;
step 112, the first forwarding device receives the packet, processes it and forwards the processed packet according to the method described in the first embodiment or the second embodiment;
step 113, the second forwarding device receives the packet from the first forwarding device;
step 114, the second forwarding device processes the packet and forwards the processed packet to the target device according to the method described in the first or third embodiment.
Example five
An embodiment of the present disclosure further provides a communication method, including:
step 121, the source device sends a packet;
step 122, sending the packet sent by the source device according to the method described in the first or second embodiment;
step 123, receiving a packet;
step 124, sending the received packet to the target device according to the method described in the first or third embodiment.
Example six
An embodiment of the present disclosure further provides a message forwarding apparatus, including:
a receiving module 131, configured to receive an IP packet to be sent to a target device from a source device;
a KCP encapsulation module 132, configured to determine corresponding KCP instance information according to the IP packet and the KCP mapping relation, and to encapsulate the IP packet according to the KCP instance information to obtain a KCP packet;
a sending module 133, configured to send the KCP packet through a secure data tunnel.
In some exemplary embodiments, the receiving module 131 is further configured to decapsulate, according to the KCP protocol, a packet received through the secure data tunnel to obtain KCP data, the KCP data being an IP packet;
and the sending module 133 is further configured to determine a target device according to the KCP data and send the IP packet to the target device.
Example seven
An embodiment of the present disclosure further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program for sending or receiving data packets, and the processor is configured to read and run the computer program for sending data packets so as to execute the message forwarding method according to any one of the first and second embodiments.
Example eight
An embodiment of the present disclosure further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program for sending or receiving data packets, and the processor is configured to read and run the computer program for sending data packets so as to execute the message forwarding method according to any one of the first to third embodiments.
Example nine
An embodiment of the present disclosure further provides a communication system, which includes a source device and a target device, and further includes a first forwarding device and a second forwarding device;
the first forwarding device is the electronic device of embodiment seven, and the second forwarding device is the electronic device of embodiment eight;
the first forwarding device is configured to receive a packet from the source device, process it, and send the processed packet to the second forwarding device through a public network;
the second forwarding device is configured to receive the packet from the first forwarding device, process it, and send the processed packet to the target device.
Example ten
An embodiment of the present disclosure further provides a communication system, which includes a source device and a target device, and further includes a first forwarding device and a second forwarding device;
the first forwarding device is the apparatus of embodiment six, and the second forwarding device is also the apparatus of embodiment six;
the first forwarding device is configured to receive a packet from the source device, process it, and send the processed packet to the second forwarding device through a public network;
the second forwarding device is configured to receive the packet from the first forwarding device, process it, and send the processed packet to the target device.
Compared with the prior art, the invention has the following advantages:
1. Deployment is simple. In a symmetric network deployment, the device of the invention can be inserted without changing the network environment at all and still achieves a good acceleration effect.
2. Because IPsec packets or other secure tunnel packets are used for transmission, the packets are not discarded by intermediate devices.
3. Original performance is not affected. The object processed is the IP packet, the interior of the packet is never modified, and the packet is kept intact throughout transmission. Therefore, even in an environment without packet loss or delay, there is no performance degradation.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.

Claims (13)

1. A message forwarding method, characterized by comprising the following steps:
receiving an IP packet to be sent to a target device from a source device;
determining corresponding KCP instance information according to the IP packet and the KCP mapping relation;
encapsulating the IP packet according to the KCP instance information to obtain a KCP packet;
and sending the KCP packet through a secure data tunnel.
2. The method of claim 1, wherein
the secure data tunnel includes an IPsec VPN tunnel;
the sending the KCP packet through a secure data tunnel comprises:
adding a new IP header to the KCP packet according to the IPsec protocol to obtain an IPsec packet, and sending the IPsec packet through the IPsec VPN tunnel.
3. The method according to claim 1 or 2, wherein
the determining corresponding KCP instance information according to the IP packet and the KCP mapping relation comprises:
searching the KCP mapping relation according to the quintuple of the IP packet, and determining the KCP instance information corresponding to the IP packet; wherein the KCP instance information includes a KCP identifier;
and the encapsulating the IP packet according to the KCP instance information to obtain a KCP packet comprises:
adding a KCP header to the IP packet according to the KCP identifier to obtain the KCP packet.
4. The method of claim 3, wherein
the KCP mapping relation comprises an IP connection information table and a KCP instance information table;
the searching the KCP mapping relation according to the quintuple of the IP packet and determining the KCP instance information corresponding to the IP packet comprises:
searching the IP connection information table according to the quintuple of the IP packet to determine the IP connection information corresponding to the IP packet, and searching the KCP instance information table according to the IP connection information to determine the corresponding KCP instance information.
5. The method of claim 4, wherein
the searching the IP connection information table according to the quintuple of the IP packet to determine the IP connection information corresponding to the IP packet, and searching the KCP instance information table according to the IP connection information to determine the corresponding KCP instance information comprises:
searching the IP connection information table according to the quintuple of the IP packet; when the corresponding IP connection information is found, searching the KCP instance information table according to the IP connection identifier in the IP connection information and determining the corresponding KCP instance information;
and when the corresponding IP connection information is not found, generating a new IP connection identifier and a new KCP identifier, adding the quintuple of the IP packet and the new IP connection identifier as new IP connection information into the IP connection information table, and adding the new IP connection identifier and the new KCP identifier as new KCP instance information into the KCP instance information table.
6. A message forwarding method, characterized by comprising the following steps:
decapsulating a packet received through a secure data tunnel according to the KCP protocol to obtain KCP data, the KCP data being an IP packet;
and determining a target device according to the KCP data, and sending the IP packet to the target device.
7. The method of claim 6, wherein
the secure data tunnel includes an IPsec VPN tunnel;
the decapsulating, according to the KCP protocol, a packet received through the secure data tunnel to obtain KCP data comprises:
decapsulating the received IPsec packet according to the IPsec protocol to obtain a KCP packet;
and decapsulating the KCP packet according to the KCP protocol to obtain the KCP data.
8. The method according to claim 6 or 7, wherein
the method further comprises the following steps:
decapsulating a packet received through the secure data tunnel according to the KCP protocol to obtain a KCP packet header;
determining corresponding KCP instance information according to the KCP packet header and the KCP mapping relation; wherein the KCP instance information includes a KCP identifier and an IP connection identifier, and the KCP mapping relation comprises an IP connection information table and a KCP instance information table;
wherein the determining the corresponding KCP instance information according to the KCP packet header and the KCP mapping relation comprises:
searching the KCP instance information table according to the KCP identifier in the KCP packet header, and when the corresponding KCP instance information is found, taking the found KCP instance information as the corresponding KCP instance information;
when the corresponding KCP instance information is not found, generating new KCP instance information and adding it into the KCP instance information table, the KCP identifier of the new KCP instance information being the KCP identifier in the KCP packet header.
9. The method of claim 8, wherein
the method further comprises searching the IP connection information table according to the quintuple of the IP packet; when the corresponding IP connection information is not found, generating a new IP connection identifier, and adding the quintuple of the IP packet, the new IP connection identifier and the KCP identifier in the KCP packet header as new IP connection information into the IP connection information table;
and, when the corresponding IP connection information is not found, searching the KCP instance information table according to the KCP identifier in the KCP packet header to determine the corresponding KCP instance information; when the corresponding KCP instance information is found, updating the IP connection identifier of the found KCP instance information to the new IP connection identifier; and when the corresponding KCP instance information is not found, adding the new IP connection identifier and the KCP identifier in the KCP packet header as new KCP instance information into the KCP instance information table.
10. A communication method, comprising:
the source device sending a packet;
sending the packet sent by the source device according to the method of any one of claims 1 to 6;
receiving a packet;
and sending the received packet to the target device according to the method of any one of claims 7 to 9.
11. An electronic device comprising a memory and a processor, wherein the memory stores a computer program for data packet transmission or for data packet reception, and the processor is configured to read and execute the computer program for data packet transmission to perform the method of any one of claims 1 to 6.
12. An electronic device comprising a memory and a processor, wherein the memory stores a computer program for data packet transmission or for data packet reception, and the processor is configured to read and execute the computer program for data packet transmission to perform the method of any one of claims 7 to 9.
13. A communication system comprising a source device and a target device, characterized in that the system further comprises a first forwarding device and a second forwarding device;
the first forwarding device is the electronic device of claim 11, and the second forwarding device is the electronic device of claim 12;
the first forwarding device is configured to receive a packet from the source device, process it, and send the processed packet to the second forwarding device through a public network;
the second forwarding device is configured to receive the packet from the first forwarding device, process it, and send the processed packet to the target device.
CN202011114306.1A 2020-10-19 2020-10-19 Message forwarding method, device and communication method and system Active CN112019568B (en)

Publications (2)

Publication Number Publication Date
CN112019568A true CN112019568A (en) 2020-12-01
CN112019568B CN112019568B (en) 2021-02-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant